8.5+ million user records from royalty-free image website leaked on Russian hacker forum

123RF.com is “actively notifying the necessary authorities and 123RF.com members to work with them to remedy the situation” and “tightening the security policies to include tighter passwords and IP detection to combat suspicious log-ins.”

3GB of an SQL database containing user data that belongs to 123RF.com, a royalty-free image website, was recently leaked on a Russian hacker forum.

123RF.com is a Malaysia-based digital stock content agency that sells royalty-free images, footage, and audio. It is part of the Inmagine group and has over 12 million monthly active users, including clients like Apple, Google, Amazon, and Microsoft.

Graphical user interface, application

Description automatically generated

(Image: Forum post regarding the leak on the hacker forum)

The 8,500,246 user records stored in the leaked part of the database include the users’ full names, email addresses, IP addresses, locations, passwords that have been hashed using the MD5 hashing algorithm, and more.

The latest data contained in the database appears to have been exfiltrated from 123RF.com data center on March 22, 2020, and presumably used for malicious purposes for more than eight months. According to 123RF.com, the source of the breach was traced to an unauthorized access at the company’s data center. After breaching the data center, the attacker “proceeded to copy the membership data,” 123RF.com told CyberNews.

A 123RF.com representative stated that the company is “unable to prove conclusively that the sample size provided covers the entire figure” of 8,500,246 million user records.

To see if your email address has been exposed in this or other security breaches, use our personal data leak checker.

What data is contained in the leak?

Only part of the database has been leaked on the Russian hacker forum. This appears to be a user data table that potentially combines multiple leaks of 123RF.com data, ranging from as far back as 2006 to March 2020. According to comments by a 123RF.com representative, the company assumes that the database is about a year old and is “not the latest 2020 version as alleged by the threat actor.”

The leaked file, which is 3GB in size, consists of 47 table columns and contains 8,500,246 user records. This includes:

  • User IDs
  • Full names
  • Location data (city, state, street address, postcode)
  • Phone numbers
  • IP addresses
  • Email addresses used to log into 123RF.com
  • Email addresses used to log into PayPal
  • Email addresses used to log into Facebook
  • User Facebook IDs
  • Account passwords (MD5 hashed)

Example of leaked user records:


Description automatically generated

The 123RF account passwords stored in the leaked file were hashed using the ineffective MD5 hashing algorithm. While marginally better than storing passwords in plain text, malicious actors could still crack and convert MD5 hashed passwords to plain text within a reasonable timeframe and without too much effort.

What’s the impact of the 123RF.com data leak?

The data found in the leaked file can be (and presumably has been) used in a wide variety of ways against 123RF.com users whose information was exposed, which includes:

  • Using the data from the leaked file to mount targeted phishing attacks or commit identity theft
  • Committing spear phishing attacks against enterprises whose data was exposed in order to plant ransomware or execute malicious bank transfers
  • Using credential stuffing to compromise the users’ accounts on other online platforms
  • Spamming the victims’ emails, phones, and Facebook accounts
  • Brute-forcing the passwords of the users’ email, PayPal, and Facebook accounts
  • Using leaked IP addresses to scan user devices connected to those IP addresses for known vulnerabilities

In response to the breach, 123RF.com is “tightening the security policies to include tighter passwords and IP detection to combat suspicious log-ins.”

“We wish to reiterate that we take the privacy and data of our customers seriously and have at all times been vigilant with the handling of our customer’s data.”


Since it appears that only a part of the database has been leaked on the Russian hacker forum, there is a possibility that the owner of the file is in possession of more data related to 123RF.com and its users.

What to do if you have been affected?

If you have a 123RF.com account and your data has been compromised in this leak, we recommend you:

  • Immediately change your 123RF.com, PayPal, and Facebook passwords and consider using a password manager to create strong passwords.
  • If you have been using an identical password for any other online services, change it on those other websites as well.
  • Enable two-factor authentication (2FA) on all your other online accounts.
  • Watch out for potential phishing emails and messages. Do not click on anything suspicious or respond to anyone you don’t know.

Leave a Reply

Your email address will not be published. Required fields are markedmarked